When a user's password is changed directly in the User Store with Apache Directory Studio (or another LDAP tool) while the Policy Server is running, the Password Policy does not trigger the forced password change once the password's due date has passed.
The password does not expire after X days as configured in the SiteMinder Password Policy object if it is reset with the Apache Directory Studio client before those X days have elapsed.
To illustrate, with the following Password Policy configuration:
Password expires if not changed: After Days 2
Force password change
If the user logs in on day 1 with the correct password, the disable flag keeps the value 0.
If the user logs in 3 days later, the disable flag is still 0 at that point. Because 3 days have now elapsed, the Policy Server changes the value to 16777216 and redirects the browser to the Password Services page. The disable flag returns to 0 once the user has changed the password.
Now, in the same scenario, if an external LDAP tool is used to change the password on day 2, the Policy Server will not ask the browser to change the password when the user tries to log in on day 3.
This behavior is by design. When the user password is changed outside SiteMinder, the Policy Server compares the password held in the LDAP entry with the list of former passwords stored in the Password Blob.
If the LDAP password differs from the last stored one, the Policy Server appends the new password to the password list and also sets LastPWChange to the current time, so the expiry interval is counted from that moment.
To force the user to change the password again at the next login, use custom SDK code that sets the disable flag to 16777216 at the moment the user password is changed outside SiteMinder.
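The following is an added model of the behavior described above; it is not SiteMinder code and does not use the SiteMinder SDK. It simulates the three decisions the article describes (the expiry check at login, the reconciliation of an externally changed password into the Password Blob history, and the workaround of setting the disable flag at the same time as the external change) so the day 1 / day 2 / day 3 scenario can be walked through. Field names such as last_pw_change_day, disabled_flag and password_history, the day-number clock, and the SHA-256 stand-in for the stored password are modelling assumptions, not the Policy Server's real Password Blob layout.

```python
"""Simulation of the Password Policy expiry behaviour described in the article.

Added example: models the Policy Server decisions, it is not SiteMinder code.
Day numbers replace real timestamps; SHA-256 replaces the Password Blob format.
"""
import hashlib
from dataclasses import dataclass, field

PW_MUST_CHANGE = 16777216   # 0x01000000, the disable flag value quoted in the article
EXPIRES_AFTER_DAYS = 2      # "Password expires if not changed: After Days 2"


def _stored(password: str) -> str:
    # Stand-in for the representation kept in the password history (constructed).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class UserRecord:
    ldap_password: str                 # what the directory entry currently holds
    last_pw_change_day: int            # LastPWChange, as a day number
    disabled_flag: int = 0             # the Disabled Flag attribute
    password_history: list = field(default_factory=list)


def reconcile_external_change(user: UserRecord, today: int) -> bool:
    """The comparison the article describes: if the LDAP password differs from
    the last entry in the history, append it and reset LastPWChange to now.
    Returns True when an external change was detected."""
    current = _stored(user.ldap_password)
    if user.password_history and user.password_history[-1] == current:
        return False
    user.password_history.append(current)
    user.last_pw_change_day = today
    return True


def login(user: UserRecord, today: int) -> str:
    """Outcome of a login with the correct password:
    'ok' or 'password_services' (browser redirected to change the password)."""
    reconcile_external_change(user, today)
    if today - user.last_pw_change_day > EXPIRES_AFTER_DAYS:
        user.disabled_flag |= PW_MUST_CHANGE
    if user.disabled_flag & PW_MUST_CHANGE:
        return "password_services"
    return "ok"


def change_password_via_siteminder(user: UserRecord, new_password: str, today: int) -> None:
    """Change through Password Services: history, LastPWChange and flag all updated."""
    user.ldap_password = new_password
    user.password_history.append(_stored(new_password))
    user.last_pw_change_day = today
    user.disabled_flag &= ~PW_MUST_CHANGE


def change_password_externally(user: UserRecord, new_password: str,
                               apply_workaround: bool = False) -> None:
    """Apache Directory Studio-style change: only the directory attribute moves.
    With apply_workaround=True the article's custom-SDK step is simulated by
    setting the disable flag to PW_MUST_CHANGE at the same moment."""
    user.ldap_password = new_password
    if apply_workaround:
        user.disabled_flag |= PW_MUST_CHANGE


def scenario(external_change: bool, apply_workaround: bool) -> tuple:
    """Day 0: password set. Day 1: login. Day 2: optional external change.
    Day 3: login. Returns (day-3 outcome, disable flag after that login)."""
    user = UserRecord(ldap_password="initial", last_pw_change_day=0,
                      password_history=[_stored("initial")])
    login(user, 1)                                     # day 1: accepted, flag stays 0
    if external_change:
        change_password_externally(user, "changed-outside", apply_workaround)
    result = login(user, 3)
    return result, user.disabled_flag


if __name__ == "__main__":
    print("no external change      :", scenario(False, False))
    print("external change, no fix :", scenario(True, False))
    print("external change + flag  :", scenario(True, True))
```

Running the three scenarios shows the article's point: without an external change the day-3 login is redirected and the flag becomes 16777216; after an external change on day 2 the reconciliation resets LastPWChange, so the day-3 login is accepted; setting the flag together with the external change restores the forced change.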